Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Impersonating a user

0 views
Skip to first unread message

Holmes F. Ives

unread,
Feb 6, 2002, 10:38:27 AM2/6/02
to
When updating programs sometimes the system requires the
user running the script to have admin rights to proceed
with the installation, how is it possible at this point in
the script to impersonate an admin account so as to
complete the script. As usual thanks for the assistance.

Torgeir Bakken

unread,
Feb 6, 2002, 11:03:43 AM2/6/02
to
"Holmes F. Ives" wrote:

Here is maybe something that can be used:

SFImpersonator from http://cwashington.netreach.net/

Tools\Com Objects N-Z :

<qoute>
SFImpersonator... Execute Code under the security context of another user.

Another MUST GET. Every NT administrator known to man could have a use for this
thing. No longer do we have to shell out to SU or RUNAS. More than that, it's
extremely easy to use. With this object one can impersonate the security context
of another user. Using the component in your code is as simple as the following.

</qoute>


Alternativly, for Win2k/WinXP MS runas.exe utility (su for WinNT) or WMI may be
used. Take a look at this thread for examples on this:

From: alexsyes (alex...@hotmail.com)
Subject: Re: Run Apps As Administrator?
Newsgroups: microsoft.public.scripting.wsh
Date: 2001-01-31 12:01:42 PST

You can use http://groups.google.com/advanced_group_search to fetch it :-)

The Runas utility can't take the password from the command line, but this can be
solved in a sort of a cludgy way by using some kind of sendkeys. You might get
something to work with AutoIt's SendKey method.

For su.exe you can redirect the password on the command line, so in that case
you don't need AutoIt, but then your admin password will be in cleartext for
snooping eyes.

If you use the standalone AutoIt (not the ActiveX version AutoItX) you can also
compile your AutoIt script into a exe and in that way "encrypt" your admin
password that is to be used bu runas/su. Another advantage with the standalone
version is that you don't need to install/register files on the local computer
to use it (like the AutoItX version). AutoIt is free and can be found here:
http://www.hiddensoft.com/AutoIt/


A possibly better solution is to buy one or more of the products listed below
from the Quimeras Company (http://www.quimeras.com). The two products on top
don't require something to be installed on the local computers and can be run
from login scripts etc.:

TqcRunAs 2002.1 Edition, for Windows 2000/XP
NTsu 3.1 "Run as..." Extensions for Windows NT 4.0
ANITA Server 2001.3 Edition (for a more complete solution)

--
torgeir


Holmes F. Ives

unread,
Feb 7, 2002, 6:13:53 PM2/7/02
to
Thanks for the tip. I tried the SFImpersonator.dll com
object found in CWashinton's site but it didn't work (at
least in Windows 2000). The Runas command line method
holds some promise but trying to figure out how to call
the program from within a script has proven difficult no
doubt because I'm not handling the quotes correctly, see
code line below:
Set grcFile = objShell.Namespace(sysDrive & "\Documents
and Settings\All Users\Application Data\Symantec\Norton
Antivirus Corporate Edition\7.6")
wshShell.Run "runas domain\administrator
grcFile.CopyHere "\\" & parentServer
& "\VPHOME\Grc.dat",1,False
Any suggestions greatly appreciated
>.
>

Torgeir Bakken

unread,
Feb 7, 2002, 7:09:52 PM2/7/02
to
"Holmes F. Ives" wrote:

> Thanks for the tip. I tried the SFImpersonator.dll com
> object found in CWashinton's site but it didn't work (at
> least in Windows 2000).

I just tried it on Win2000, worked flawlessly! You did register the dll? (that
is the downside with this dll/method, it has to be registred on all the client
pc's)


> The Runas command line method
> holds some promise but trying to figure out how to call
> the program from within a script has proven difficult no
> doubt because I'm not handling the quotes correctly, see
> code line below:
> Set grcFile = objShell.Namespace(sysDrive & "\Documents
> and Settings\All Users\Application Data\Symantec\Norton
> Antivirus Corporate Edition\7.6")
> wshShell.Run "runas domain\administrator
> grcFile.CopyHere "\\" & parentServer
> & "\VPHOME\Grc.dat",1,False

First, I would strongly recommend you to use the FileSystemObject CopyFile
method for the file copy of Grc.dat instead of Shell.Application.Namespace.

Secondly, Runas must have /user: added before domain\administrator. You must
also take into consideration if you need /profile and\or /env also.

For the third, RunAs can't run script code directly on the command line, only
executable files. Look at it as a command shell. To run a script from RunAs,
launch wscript.exe or cscript.exe with a vbs-file as input parameter from RunAs.
If the command input to RunAs contains spaces (like "wscript some_scriptfile"
does), it must be surrounded with ".

This is how to do it:

wshShell.Run "runas /user:domain\administrator ""wscript f:\wsh\tst.vbs"""

Be sure that the path/script name (the f:\wsh\tst.vbs part) does not contain
space(s)!

--
torgeir

Brian Z

unread,
Feb 8, 2002, 10:21:43 AM2/8/02
to
Would any of the techniques you mentioned in this thread help solve my
problem that my scripts using the Sendkeys method won't run on Win XP Home
when the password-protected screensaver is active? Script works fine
launched from the windows scheduler if the screensaver is not password
protected.
Thanks,
-Brian

"Torgeir Bakken" <Torgeir.B...@hydro.com> wrote in message
news:3C631750...@hydro.com...

Torgeir Bakken

unread,
Feb 8, 2002, 11:28:20 AM2/8/02
to
If your goal is "to select menu items from a running program" as you stated in
an earlier posting, from a script you must use SendKeys, and that will not work
under a password protected screensaver whatever you do. SFImpersonator.dll and
WMI should work under a password protected screensaver to start a script while
impersonating another user (but no SendKeys will work).

--
torgeir

Clarence Washington Jr.

unread,
Feb 8, 2002, 1:59:00 PM2/8/02
to
The user trying to initiate the com object has to have the logon as part of
the operating system right.
--
Clarence

Win32Scripting....
No, not that other one by Duke Publishing..... THE ORIGINAL...
http://cwashington.netreach.net

On THIS site you will find everything you need to get up and running. A
script repository (scriptDEPO) with almost 600 sample scripts, a tools
section with COM objects for scripting, a library of reference materials and
an online forum (discussionLOUNGE) and chat rooms to provide community based
technical support. All of this with no membership requirements, no need to
sign up for a passport... Completely FREE for you to use...

"Brian Z" <b...@home.com> wrote in message
news:O6M#YRLsBHA.2628@tkmsftngp03...

Torgeir Bakken

unread,
Feb 8, 2002, 2:22:42 PM2/8/02
to
"Clarence Washington Jr." wrote:

> The user trying to initiate the com object has to have the logon as part of
> the operating system right.
> --
> Clarence

And I guess that this answer should have been addressed to the original poster
Holmes F. Ives?

--
torgeir

SteveMcG

unread,
Feb 8, 2002, 4:54:28 PM2/8/02
to
If all you want to do is to update the NortonAV grc.dat file, why not
include it in the machine startup scripts? I've deployed NortonAV using a
machine startup script included in a group policy and was also able to run
simple batch files which accessed variuos parts of the C drive where only
administrators or power users would have had access. A machine script runs
before any user has logged on and runs in the system context. Looking at the
makeup of your sacript below indicates that you are looking at a win2k
environment where this should be possible,

HTH,

SteveMcG (MCSE/CNE)

"Holmes F. Ives" <hi...@cott.com> wrote in message
news:166101c1b02d$1be601c0$3aef2ecf@TKMSFTNGXA09...

0 new messages